Check: CSCO-NC-000010
Cisco ISE NAC STIG:
CSCO-NC-000010
(in versions v1 r2 through v1 r1)
Title
The Cisco ISE must use TLS 1.2, at a minimum, to protect the confidentiality of information passed between the endpoint agent and the Cisco ISE. (Cat I impact)
Discussion
The agent may pass information about the endpoint to the Cisco ISE, which may be sensitive. Using older unauthorized versions or incorrectly configuring protocol negotiation makes the gateway vulnerable to known and unknown attacks that exploit vulnerabilities in this protocol.
Check Content
Verify that only TLS 1.2 is enabled. From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked. If TLS 1.0 or 1.1 is enabled, this is a finding.
Fix Text
Configure ISE so that only TLS 1.2 is enabled: From the Web Admin portal: 1. Navigate to Administration >> System >> Settings >> Security Settings. 2. Ensure "Allow TLS1.0", "Allow TLS1.1", and "Allow legacy unsafe TLS renegotiation for ISE as a client" are unchecked.
Additional Identifiers
Rule ID: SV-242575r803518_rule
Vulnerability ID: V-242575
Group Title: SRG-NET-000062-NAC-000340
Expert Comments
CCIs
Number | Definition |
---|---|
CCI-000068 |
The information system implements cryptographic mechanisms to protect the confidentiality of remote access sessions. |
Controls
Number | Title |
---|---|
AC-17 (2) |
Protection Of Confidentiality / Integrity Using Encryption |